1017 Views, 0 Helpful, 17 Replies

Policy Based Routing problem over dual frame-relay circuits

cerp
Level 1

I have a site that has two frame-relay DS1's built as point-point circuits. Both provide Internet access. I want to use PBR to send some user traffic over one T1 and some traffic over the other. I believe I've built the PBR correctly but it doesn't appear to be working. When I query the route-map I see policy routing matches. Both the packets and bytes counters are incrementing. However I am unable to resolve DNS or surf. When I put a default static route pointing out one of the interfaces I am able to surf. I have included a config. Any help would be appreciated.

17 Replies 17

lamav
Level 8

Hi:

The access lists on both serial interfaces -- ACL 101 and 102 -- are denying all traffic coming in from the firewall, except icmp.

HTH

Victor

This config was generated by the SDM software and it currently works using a default static route with those ACL's in place. I believe that it allows return traffic that it matches to an outbound connection. It is only denying unsolicited inbound traffic.

Cerp:

Not to be repetitive, but this is your interface configuration:

interface Serial0/3/0:0.1 point-to-point
 description FW_OUTSIDE#1
 ip address 211.111.85.82 255.255.255.252
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 frame-relay interface-dlci 500 IETF

And here is the access list...

access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip 211.111.85.84 0.0.0.3 any
access-list 101 deny ip 10.100.2.0 0.0.0.31 any
access-list 101 permit icmp any host 211.111.85.82 echo-reply
access-list 101 permit icmp any host 211.111.85.82 time-exceeded
access-list 101 permit icmp any host 211.111.85.82 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log

This access list denies everything but ICMP traffic coming in from the firewall. What am I missing?

Which interface did you point that static route to? ip route 0.0.0.0 0.0.0.0 ?.?.?.?

Victor


The default route points to s0/3/0:0.1. I am currently surfing over that link right now.

Oh, wait a minute... I'm sorry! I just noticed the ip inspect commands in your configuration...

You're running an IOS with a firewall feature set, which means that it is stateful. So, all your internally-generated traffic is automatically allowed back in....

That explains the access list question, but that leaves your initial problem still unresolved....
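To make the stateful-inspection point concrete, here is an added illustration (not the poster's SDM-generated config) of how a classic IOS Firewall inspection rule lets sessions that originate inside return through an inbound ACL that otherwise denies everything. The rule name OUTBOUND_INSPECT is assumed; ACL 101 and the serial subinterface are the ones quoted above.

```cisco
! Added example, not from the original thread.
! Define an inspection rule for the session types users originate.
! (Rule name OUTBOUND_INSPECT is an assumed placeholder.)
ip inspect name OUTBOUND_INSPECT tcp
ip inspect name OUTBOUND_INSPECT udp
ip inspect name OUTBOUND_INSPECT icmp
!
! Apply the inspection rule outbound on the same subinterface that carries
! the restrictive inbound ACL. Each session leaving the interface creates a
! dynamic entry; replies that match an entry are allowed back in before
! ACL 101 would drop them. Unsolicited inbound traffic still hits
! "deny ip any any log" and shows up in the log.
interface Serial0/3/0:0.1 point-to-point
 ip access-group 101 in
 ip inspect OUTBOUND_INSPECT out
!
! Verification: active sessions and the configured rule.
show ip inspect sessions
show ip inspect config
```

The practical check is `show ip inspect sessions` while a user browses: if the session entry exists but the user still cannot resolve or surf, the inbound ACL is not the problem and the fault is in forwarding (which is where this thread ends up).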

Joseph W. Doherty
Hall of Fame

Within route-map path-select, try setting "set default interface Serial0/3/0:0.1" and "set default interface Serial0/3/1:0.1" to "set ip next-hop x.x.x.x" where x.x.x.x is the appropriate external next hop address.

I changed the "set default interface" statement to a "set ip next-hop" statement; still no change. I see the route-map matching packets, but am unable to route. As soon as I put in a static route pointing to either serial link, routing starts working.

I had suspected PBR with "interface" wasn't NATing. Hopefully the "next-hop" would otherwise NAT. At this point, would need to activate debug and see what's going on.

PS;

What next hop addresses did you use?

Mohamed Sobair
Level 7

Hi,

The (set default interface) has different concept than (set ip next-hop).

The first would perform PBR if it has an exact match in the routing table, and would therefore need an extended access-list.

Therefore, the set ip next-hop would resolve your issue, and you don't need a default route for this.

Make sure the next hop is reachable.

HTH

Mohamed

Ok, I've got it working. I changed my ACL's to extended ACL's (no change), set the route-map to set ip next-hop (no change) and then I put a default static route pointing to each of my T1's. The route-map would then send the packets out the correct interface. Does the router have to do a route lookup even if you have a route map pointing to the next hop address?

Does the router have to do a route lookup even if you have a route map pointing to the next hop address?

It depends on the set statement within the route-map.

If you use set ip next-hop address, the router will use PBR first and if it fails, it will use the routing table.

If you use set ip default next-hop address, the router will use the routing table first and then the next-hop specified in the route-map.

Please see:

http://www.cisco.com/en/US/docs/ios/12_4/ip_route/configuration/guide/piconfig.html#wp1001398

for further understanding of PBR features.

HTH,

__

Edison.
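The following is an added configuration sketch (not the original poster's config, nor Edison's) showing the arrangement the thread converges on: extended ACLs selecting user groups, a route-map with "set ip next-hop", PBR applied inbound on the inside interface, and one default route per T1 so the router holds a forwarding entry for each link. The inside subnets, interface name FastEthernet0/0 and the two next-hop addresses are assumed placeholders; the route-map name path-select and the serial subinterfaces are from the thread.

```cisco
! Added example, not from the original thread.
! Extended ACLs: which inside hosts go over which T1 (subnets assumed).
ip access-list extended PBR_GROUP_A
 permit ip 10.100.2.0 0.0.0.15 any
ip access-list extended PBR_GROUP_B
 permit ip 10.100.2.16 0.0.0.15 any
!
! PBR tries the next hop first; if it is unreachable the packet falls
! back to the routing table. Swap "set ip next-hop" for
! "set ip default next-hop" to consult the routing table first instead.
! Next-hop addresses are assumed placeholders for the provider routers.
route-map path-select permit 10
 match ip address PBR_GROUP_A
 set ip next-hop 203.0.113.1
route-map path-select permit 20
 match ip address PBR_GROUP_B
 set ip next-hop 203.0.113.5
!
! Policy routing is evaluated on the ingress interface of user traffic
! (inside interface name assumed).
interface FastEthernet0/0
 ip policy route-map path-select
!
! One default route per T1, matching the fix the poster reported.
ip route 0.0.0.0 0.0.0.0 Serial0/3/0:0.1
ip route 0.0.0.0 0.0.0.0 Serial0/3/1:0.1
!
! Verification: per-sequence match counters and where PBR is applied.
show route-map path-select
show ip policy
```

When reading `show route-map path-select`, incrementing match counters only prove the packet was classified, not that it was forwarded; pair it with `show ip route` to confirm the router actually has a path to each next hop.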

Ok, but if I don't have any static routes configured I am unable to route. I could ping the next-hop IP. With the static routes configured the route-map (set ip next-hop address) is sending my user traffic out the correct interfaces. No matter what method I used I would always show my ACL's matching interesting traffic and the route-map matching packets. Very odd behaviour!

Packets generated by the router are not normally policy routed unless you configure a local PBR.

http://www.cisco.com/en/US/docs/ios/12_4/ip_route/configuration/guide/piconfig.html#wp1001559

That's the reason that a lack of 'static route' produces the result you are seeing.

HTH,

__

Edison.

It might help if you clarified what next hop address you're using with PBR and the specific statics which fixed the problem.

Since your original default route was using an interface, not a next hop, perhaps PBR doesn't "know" where the next hop is without a connected route or a static. I.e. your NAT pool is using 60.x.x.x but your physical links are 211.x.x.x. Or perhaps the issue is, without the statics, NAT doesn't see an inside to outside need for address translation.
